Security flaws on the global network that routes the world's cellphone calls and texts could allow hackers and criminals to listen in on private calls and intercept messages, and can even get through the sophisticated encryption methods most cellular companies use, German researchers have discovered.
Experts plan to reveal how the vulnerabilities on the SS7 network, which was designed in the 1980s, can undermine customers' privacy, reports The Washington Post.
The flaws come through functions that were built into the system for other purposes, including keeping calls connected while users travel, which involves switching signals between cell towers.
But hackers can repurpose the functions because security is low on the network, the researchers found, and people who are skilled with the SS7 functions can track down callers anywhere, worldwide.
Further, they can listen in on calls while they are going on or record the calls and texts for later use.
Carriers are spending billions to upgrade to more advanced 3G technology, but while that is going on, carriers still communicate with SS7, which leaves their customers open to hacking through carriers that have access to the network.
“It’s like you secure the front door of the house, but the back door is wide open,” Tobias Engel, one of the German researchers, told The Post.
Engel, founder of Sternraute, and Karsten Nohl, chief scientist for Security Research Labs, discovered the weaknesses separately after The Post reported dozens of nations had bought surveillance systems to use the SS7 networks to locate the world's callers.
The researchers did not find evidence that governments have been using the vulnerabilities, but such flaws are often tools used by intelligence services like the National Security Agency, The Post notes.
“Many of the big intelligence agencies probably have teams that do nothing but SS7 research and exploitation,” said American Civil Liberties Union principal technologist Christopher Soghoian. “They’ve likely sat on these things and quietly exploited them.”
GSMA, a London-based global cellular industry group, has acknowledged there are problems with the network, which is to be replaced over the next 10 years.
The German researchers found two different ways to hack into calls using the SS7 system. Commands can be used to tap into a phone's forwarding function, allowing hackers to redirect phone calls to themselves so they can eavesdrop or record the calls.
In addition, another technique would allow the use of radio antennas to collect calls and texts going through airwaves in a certain area.
And even if the communications are encrypted, hackers could seek a temporary key to unlock them.
“It’s all automated, at the push of a button,” Nohl said. “It would strike me as a perfect spying capability, to record and decrypt pretty much any network… Any network we have tested, it works.”
The tests included more than 20 networks worldwide, and T-Mobile in the United States. Nohl and Engel said other U.S. networks likely have similar flaws, although smartphone systems like Apple's iMessage and WhatsApp use encryption methods that sidestep traditional cellular text systems.
T-Mobile commented that it "remains vigilant in our work with other mobile operators, vendors and standards bodies to promote measures that can detect and prevent these attacks."
Engel said he doubts he and Nohl are the first to realize "how open the SS7 network is," even though eavesdropping on calls violates most countries' laws, unless it is done through a court or government order.
A German senator, Thomas Jarzombek, who participated in Nohl's research, said many in his country are still angry over revelations of NSA spying on leader Angela Merkel and others, and will not be surprised by the revelations.
"After all the NSA and [Edward] Snowden things we’ve heard, I guess nobody believes it’s possible to have a truly private conversation on a mobile phone," he said. "When I really need a confidential conversation, I use a fixed-line" phone.